It is possible to sniff data but what can thieves do with it?
Contactless smart cards have been touted for their speed and convenience. But does the technology make it easier for pickpockets to be contactless, too?
Experts say that although it’s possible for a fraudster to buy a card reader on eBay and use it to scan people’s pockets on a subway, there are numerous protection mechanisms in place to keep stolen data from being used, as well as new, emerging encryption standards that will further limit such threats.

There is a perfectly good scenario that makes Contactless easy to exploit... I set up a shop over Christmas, selling discounted goods. It will only be there a month. I fit a nice big antenna around the door and link it to a legitimate Contactless reader (although the acquiring contract will of course be in a false name). Everyone who walks through my door who has a Contactless card is being charged $25 without knowing it. They will only know when they get their card bills, by which time I'm long gone as after a month I close the shop and disappear.
Why mess about with contactless? Why not just show $25 on the register but charge $125 through the normal magnetic stripe reader?
I tend to agree with Dave. If you are going to the trouble of setting up a phony storefront with contactless antenna in the EAS gates or at the door, you could commit fraud in a lot of other ways. But if you could do it on the sly at some public access door ... ?
Well that was my point really. The store is just an example (but I don't have to buy any stock or sell anything, just get lots of people through that nice door shaped antenna!). With no CVM and floor or ceiling limits to worry about, making unknown and invisible transactions is actually quite easy. Because ISO14443 is a field modifying protocol, you can just crank the antenna power up as much as you like to illuminate the card at almost any distance (hey, I'm a bad guy, I don't mind saturating you in RF energy in my doorway!). As long as the card creates a detectable field variation I can talk to it and make a transaction.
To light up a card from, say, a metre away, you would have to pump out so much power that laptops in the area will reboot and coins will start sparking. It's not a realistic attack.
But I'm curious. Do you genuinely think that banks are so stupid that they never thought of this?
http://digitaldebateblogs.typepad.com/digital_money/2008/03/yet-another-dum.html
This is wrong: “Encrypting the card adds another layer of safety. ‘If encrypted,’ says McGoran, ‘the data snooped by an attacker is useless, as it appears as gibberish without the decryption key.’”
It is very straightforward to pull off the Credit Card Number and expiration date from an RFID enabled credit card using an off the shelf payment terminal. There are several vendors that only need this data to make a transaction.
Here are videos demonstrating the skimming. On the street: http://www.youtube.com/watch?v=hcSss9BHPFo In a lab: http://www.youtube.com/watch?v=esXkUQ4-wDs
Michael,
Yes, it may be possible with some cards now but McGoran's point is that if the credit card issuers started to use encryption then it wouldn't be possible to get the data.
Contactless transactions are already taking longer than they should. As the Oracle survey found out, there is little speed benefit to tapping over swiping. Also, as there is no collision detection or management, you can't just 'wave your wallet' if you have more than one contactless card! Adding encryption will slow the transaction even more. The case for plastic cards in payment is very weak. NFC phones may just have an edge because of the extra functionality and being 'always in the pocket', but plastic cards with contactless is a nonsense solution looking for a problem (with the notable exception of transportation cards).